
Overview

They have a rich history...
From humble beginnings as contributors to Apache Maven, to backing the world's largest public repository and distributing the most widely used repository manager, Sonatype has a long history of accelerating software innovation.
They know what others don't...
They have watched billions of components come and go and have taken notes along the way. They have built a database that combines public and proprietary information with expert research and analysis. They know more about components than anyone in the world.
They make you smarter...
An astonishing flow of components runs through modern development environments. When properly sourced and managed, these elements provide immense energy to accelerate innovation. Otherwise, they lead to vulnerabilities, risk, rework and waste.
They automate the software supply chain...
Sonatype exists to automate the flow of quality components through software supply chains. Today, more than 90,000 installations of Nexus products accelerate software quality, security and delivery in software organizations around the world.
Identify and consume the best components from the best suppliers.
Continuously organize, store and distribute quality components.
Use only the best components to build applications faster at scale.
Track the precise location of every component now.


Nexus Repository

The world's best way to organize, store and distribute software components.

A place for everything and everything in its place.

Forget the days of stalled builds due to missing or unavailable components. Nexus Repository Pro has become your teams' single, most reliable source for the components they need, when they need them.

A smarter way to proxy.

Distributed team? No problem. If you face the challenge of multiple organizations or teams spread around the world, the Smart Proxy feature of Nexus Repository Pro ensures the team has a local instance that is always up to date with the latest version of the components it needs.

Component health is essential.

Repository Health Check provides a detailed list of the security vulnerabilities and license compliance problems of any of the open source components found within your repositories.

You have our backing.

Built on exactly the same foundation as our widely used OSS solution, Nexus Repository Pro includes enterprise support and access to experts who are always ready to help you.

Meet Repository Manager

Nexus Repository Pro is powered by Repository Manager, the same technology as our OSS version, with more than 100,000 installations worldwide.

Built on the shoulders of Maven, Repository Manager today supports all the most popular component formats and is the hub of your development organization.

Repository Manager gives you instant insight into potential component security, license and quality problems, letting teams take corrective action early and quickly.

It includes staging and release functionality, supporting operations and quality-control processes prior to production.

Using advanced proxy technology, Repository Manager guarantees that your teams always have access to the right components when they need them.

VERSION COMPARISON

Feature                             | 2.x OSS | 2.x Pro | 3.x OSS   | 3.x Pro
------------------------------------|---------|---------|-----------|----------
Bower                               |         |         | X         | X
Docker                              |         |         | X         | X
Maven                               | X       | X       | X         | X
npm                                 | Limited | Limited | X         | X
NuGet                               | X       | X       | X         | X
PyPI                                |         |         | X         | X
RubyGems                            |         |         | X         | X
YUM                                 | X       | X       | X         | X
S3 Blobstore Plugin                 |         |         | X         | X
High Availability Clusters          |         |         |           | X
Upgrading 2x to 3x                  |         |         | X         | X
Unlimited Deployment                | X       | X       | X         | X
Component Search                    | Limited | X       | X         | X
Upload Third Party Artifacts to UI  | Limited | Limited | X         | X
Repository Health Check (RHC)       | X       | X       | X         | X
Custom Metadata                     |         | X       |           | Planned
Improved Backup & Restore           |         |         | X         | X
Provisioning API                    |         |         | X         | X
REST                                | X       | X       | X         | X
Plugins                             | X       | X       | See Below | See Below
Open Source Integration             | X       | X       | X         | X
Auth Token Support                  |         | X       | X         | X
Custom Access Controls              | X       | X       | X         | X
Repo Targets / Content Selectors    | X       | X       | X         | X
Enterprise LDAP                     |         | X       |           | X
P2                                  |         | X       | Community | Community
OBR                                 |         | X       | Planned   | Planned
Crowd                               |         | X       |           | X
Smart Proxy                         |         | X       |           | Planned
Staging & Build Promotion           |         | X       |           | X
Community Support                   | X       | X       | X         | X
Enterprise Support                  |         | X       |           | X

Plugins

We love your plugins, and the Nexus repository user community has already started developing some. In fact, there is already an open source implementation of the apt format. If you have created a Nexus Repository Manager plugin, contact our Community Advocate and we will help you through the process of sharing it with other Nexus repository users. See the full list of plugins on Nexus Exchange.

 

Nexus Firewall

Control the perimeter of your software supply chain.

Create your own policies or use one of ours.

At the core of Nexus Firewall is IQ Server, which provides fully customizable policy management to identify and protect your repositories, along with detailed information about every component it finds.

The zealous guardian of your repositories.

Nexus Firewall's audit capabilities automatically warn you when components do not comply with the policies you have set for your repository. Better still, this information appears directly in your Nexus Repository Manager interface, with access to the detailed information through IQ Server.

Contain undesirable components at their source.

Quarantine gives your team the tactical ability to completely block any intrusion into the repository. But don't worry: you can also lift the quarantine and selectively authorize components if needed.

Watch not only what comes in, but also what goes out.

Although Nexus Firewall continuously protects your repositories, some undesirable components may enter your software supply chain by other means. So Nexus Firewall also gives you control over staging and release repositories, letting you prevent unauthorized versions from reaching production.

Meet IQ Server: the brains of the operation

Nexus Firewall is powered by IQ Server, an application that works directly with your Nexus Repository Manager and extends to serve your entire development organization.

IQ Server is designed so that your teams gain component intelligence as soon as they have identified a component they want to use.

With IQ Server's fully customizable policy engine, you decide which components may enter your supply chain or leave in production-ready internal applications.

IQ Server provides online audit and quarantine analysis, as well as protection for your repositories.

IQ Server lets you define and automate actions when a policy is violated, and monitor applications in production for future problems.

Nexus Lifecycle

Control the flow of components through your software supply chain.

The freedom of flexible policies.

Nexus Lifecycle gives you full control of your software supply chain and lets you define the rules, actions and policies that work best within your organization and across your teams.

Integration at every point of your development lifecycle

Nexus Lifecycle integrates directly with the development tools your teams already use: Eclipse, IntelliJ, Jenkins, Bamboo and SonarQube, to name just a few.

Peace of mind at every stage of the journey.

Modern application development is a fast, continuously moving effort. Using the custom policy management capabilities of the included IQ Server, Nexus Lifecycle automates actions and decisions so your team can focus on what it does best: building great software.

A solid REST API suite.

There comes a time when teams need a unique, custom solution. Whether you are looking for component information or trying to evaluate applications from a custom tool, Nexus Lifecycle provides the scalability to work with your organization in every way you intend.

Meet IQ Server: the brains of the operation

Nexus Lifecycle is powered by IQ Server, an application designed around the concepts of component intelligence and quality. IQ Server is designed to share component intelligence with your teams early and often, throughout the software supply chain, so they can choose the best possible alternatives. With IQ Server's fully customizable policy engine, you decide which components are acceptable and which are not. IQ Server integrates with the most popular development tools, including, among others, Maven, Eclipse, IntelliJ, Bamboo, Jenkins and SonarQube. IQ Server provides a complete, supported REST API suite that gives access to the core functions for custom implementations.

 

Nexus Auditor

Know precisely what is inside your software.

Everything you need to know about your software.

You have great flexibility to run on-demand evaluations through an intuitive interface or directly from the command line.

Analysis results in minutes.

Each evaluation produces a precise diagnosis, usually in under a minute, with component intelligence validated by Sonatype's experts and pinpointed by component and by possible transitive dependencies.

Define rules, automate results.

Fully customizable policy lets the user determine the rules to apply. So when undesirable components are detected, the user automatically knows the exact nature and location of the problem, as well as the remedies that make it easier to select newer, safer or better suited versions.

Continuous monitoring of applications in production.

Governance and compliance go beyond release; our component intelligence is continuously updated, and through monitoring policy the user is informed when new problems appear in components or previously unknown ones are discovered.

Meet IQ Server: the brains of the operation

Nexus Auditor is powered by IQ Server, an application designed around the concepts of component intelligence and quality.

With IQ Server's fully customizable policy engine, you create the rules that determine which components are acceptable and which are not.

IQ Server provides the composition of each evaluated application and includes a distributable bill of materials.

For each evaluated application, IQ Server provides a detailed report and feeds data into a centralized dashboard with security, license and quality information.

Sonatype’s 2018 State of the Software Supply Chain Report Reveals Use of Vulnerable Open Source Increased 120%, Despite Equifax Breach


New data shows managed software supply chains are 2X more efficient and 2X more secure

FULTON, MD – September 25, 2018 – Sonatype today released its fourth annual State of the Software Supply Chain Report which found that software developers downloaded more than 300 billion open source components in the past 12 months, and that 1 in 8 of those components contained known security vulnerabilities.

The comprehensive benchmark report incorporates a combination of public and proprietary data to examine patterns and practices underpinning open source software development and modern software supply chains. Key findings in this year’s report include:

  • Managed software supply chains are 2X more efficient and 2X more secure
    - Automated OSS security practices reduce the presence of vulnerabilities by 50%
    - DevOps teams are 90% more likely to comply with open source governance when security policies are automated
  • The window to respond to vulnerabilities is shrinking rapidly
    - Over the past decade, the mean time to exploit security vulnerabilities in the wild has compressed 400%, going from an average of 45 days to just 3
  • Hackers are beginning to assault software supply chains
    - Over the last 18 months, a series of no less than 11 events triangulate a serious escalation of attacks on software supply chains
    - These assaults, which include hackers injecting vulnerabilities directly into open source releases, represent a new front in the battle to secure software applications
  • Industry lacks meaningful open source controls
    - 1.3 million vulnerabilities in OSS components do not have a corresponding CVE advisory in the public NVD database
    - 62% of organizations admitted to not having meaningful controls over what OSS components are used in their applications
  • Governments are stepping in, as enterprises struggle to self-regulate
    - 19 different governmental organizations around the world have called for improved OSS security and governance
  • Supply of, and demand for, open source shows no sign of slowing down
    - More than 15,000 new or updated open source releases are made available to developers every day
    - The average enterprise downloaded 170,000 Java components in 2017, up 36% year over year
Supporting Quotes:

Wayne Jackson, CEO, Sonatype

“As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it, are increasingly at risk. A series of high profile and devastating cyber attacks last year demonstrated the intent and ability to exploit security vulnerabilities in software supply chains. This year’s report proves, however, that secure software development isn’t out of reach. The application economy can grow and prosper in regulated, secure environments, if managed properly.”

Gene Kim, Researcher and co-author of “The Phoenix Project,” “The DevOps Handbook,” and “Accelerate”

“We live in an age where the majority of the software we deliver is not written by us — instead, we rely on a huge and sprawling software supply chain of open source components. As valuable as open source software has become, there is a significant and hidden economic cost of using these software dependencies. One of the most telling indicators is that some of the highest-profile security breaches in the last year were due to not using the most current component versions, which enabled software vulnerabilities to be exploited to devastating effect. This report shows how critical the open source component ecosystem is to all of us, and the wide variance in practice in both the producers and consumers of open source software.”

Kevin E. Greene, Principal Software Assurance Engineer, The MITRE Corporation

“We are seeing more breaches in open source software because of the gravitational force that pulls features, complexity, and technical debt towards a software system over time, which make it very difficult to patch in a timely fashion. Unfortunately, that hasn’t changed the consumption rate of open source software by developers. This is consistent with what I believe is a growing concern…that developers may have surrendered to the idea that all software is vulnerable and have known vulnerabilities. We must give developers better supply chain options where quality and security are intrinsically designed-in.”

DJ Schleen, Security Architect and DevSecOps Idealist, Fortune 50 Insurance Corporation

“Only a decade ago, you’d look under the hood of the software your business buys and see a black box. Today we have the opportunity to open the hood to see the engine and all of its parts. Consumers and high performing DevOps organizations alike should not accept the risks of having known vulnerable open source components in their products. While new regulations begin to address the problem, this is one that good corporate citizens should have taken care of themselves.”

Hasan Yasar, Technical Manager and Adjunct Faculty Member, Carnegie Mellon University

“In 476 B.C. Master Sun (The Art of War, Sunzi Sun Tzu) said “know yourself, know your enemy and you shall win a hundred battles without loss.” The same is true when it comes to software development in 2018. If we know what we have in our code – including OSS – (ourselves) and know where vulnerabilities are (our enemy), then we can create secure software. As the use case for OSS only gets stronger, this year’s State of the Software Supply Chain Report once again shows that OSS vulnerabilities are growing exponentially. We can not simply ignore the problem anymore, we must know the enemy in order to defeat it.”

Scott Crawford, Research Director – Information Security, 451 Research

“As with any technology, open source software (OSS) components deliver many unique advantages. They also come with their own set of risks: licensing issues and exposure to known security vulnerabilities are two of the best known. Before an organization can assess these exposures, an accurate and up-to-date inventory of OSS components is required. This year’s State of the Software Supply Chain report shows that too many organizations are still failing at this most basic line of cyber hygiene. In fact, more than 62% admitted to not having meaningful controls over what OSS components are used in their applications.”

About the State of the Software Supply Chain Report

The 2018 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis. This year’s report highlights new methods cybercriminals are employing to infiltrate software supply chains, offers expanded analysis across languages and ecosystems, and more deeply explores how government regulations are likely to impact the future of software development.

Additional Resources

Read the 2018 State of the Software Supply Chain report
Read our blog
Create a software Bill of Materials for free
Learn more about Sonatype software supply chain automation solutions
About Sonatype

TPG Leads $80 Million Investment in Sonatype

Capital to Fuel Global Growth Requirements as Automated Open Source Governance Goes Mainstream

FULTON, MD – September 07, 2018 – Sonatype, the leader in automated open source governance, today announced an $80 million minority investment led by TPG, a global alternative asset firm, with additional participation by existing investors Accel, Goldman Sachs Group and Hummer Winblad. This capital will be leveraged to accelerate sales, marketing, and R&D investments, fund strategic corporate objectives, and expand Sonatype’s Nexus platform offerings now used by more than 10 million software developers and 1,000 enterprises worldwide.

“Open source ecosystems offer incredible value without any direct cost, and nearly everyone, whether individual developers, large enterprises, or government agencies, is reaping the benefit,” said Wayne Jackson, CEO of Sonatype.  “Open source innovation has never been more vibrant but, as with any software, there is also potential downside.  At Sonatype, we’re enabling organizations to confidently embrace open source so that they can both accelerate innovation and also mitigate risk. TPG is a great addition to our existing team of world-class investors and this transaction enhances an already strong balance sheet.”

Today’s IT leaders face intense pressure to accelerate the pace of software innovation while also improving security.  As a result, Gartner forecasts, “by 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% today,” wrote Neil MacDonald, David W. Cearley, Mike J. Walker, and Brian Burke in their 8 March 2018 report, Top 10 Strategic Technology Trends for 2018: Continuous Adaptive Risk and Trust.

“While the use of open source continues to grow exponentially, its unmanaged use presents significant security risks, as evidenced by last year’s breach at Equifax,” said Art Heidrich of TPG. “Sonatype has created a unique platform that addresses this rapidly growing and urgent market need. We look forward to working with Wayne and the Sonatype team to further realize the company’s potential.”

This news comes during a record year for Sonatype. Highlights include:

  • 81% increase in year-over-year sales in 1H 2018
  • 117% increase in year-over-year pipeline ACV/deal
  • 114% year-over-year increase in monthly application scans via Nexus Lifecycle
  • 1.5 million Nexus Repository users added since Jan. 1, 2018

Barclays acted as financial advisor to TPG in this transaction, which contained both primary and secondary funds. Wilson Sonsini Goodrich & Rosati served as legal advisor to TPG. Morrison & Foerster LLP served as legal advisor to Sonatype.

DevSecOps: How to Build Secure Pipelines and Prevent the Next Equifax

TLDR: attendees built their own automated release pipelines, secured them with Sonatype security scanning, and prevented the next Equifax. It was fun hacker awesomeness – go team!

According to a Security Architect at KPMG, “This was a great experience. Becoming a hacker for a day and building a pipeline that secures a real threat before pushing to production makes DevSecOps tangible and real.”

DevSecOps Helps Secure Enterprises

One of the challenges businesses face today is the mandate to be agile and release software faster while at the same time ensuring they’re not the next headline news for a major security breach. One of the biggest stories in recent cyber history was the Equifax breach. In 2017, Equifax was hacked and over 150 million individuals’ private data was compromised. You and I were hacked and we didn’t have much choice. The sad truth is that a patch for the vulnerability that led to the Equifax breach (called CVE-2017-5638, which I’ll talk more about shortly) was available in February, but Equifax didn’t take action until nearly August. Their systems were compromised for about two and a half of those months.

Equifax lacked the proper culture and mindset to effectively prevent and remediate breaches like this. DevOps has tons to say about how to change culture to make our businesses more secure. In the context of security we call this DevSecOps. DevSecOps is just DevOps with an extra emphasis on security; it’s a way of saying – when doing DevOps, don’t forget about security!

Put in technology terms, if the goal of DevOps is Continuous Delivery, then the goal of DevSecOps is Continuous Delivery that doesn’t push vulnerable code to production.

To drive home this theme, we modeled this workshop in a way that would give practitioners a hands-on experience of securing a real cyber threat before pushing to production. To do this we built an automated release pipeline that would build a security vulnerable web-application, pull the built artifact from a Nexus repository, deploy the application into a separate environment for each stage of the pipeline, use Sonatype to run security checks on the artifact at each stage, and block deployment into production if any vulnerabilities were detected.

Let’s dive in a bit to see how this was done.

Get the Sample Web App

To start, we had each attendee fork a sample Apache Struts2 based web-application into their GitHub and configure a Jenkins server to point to their forked GitHub repo. Here’s my repository with the sample struts app, which we forked from https://github.com/Iletee/struts2-rce.

Next we had participants edit the Maven pom.xml of their sample application to point to version 2.5.10 of Apache Struts. Why? Apache Struts is a common framework used to rapidly build MVC based web applications. However, certain versions of the library contain the very security vulnerability that led to the massive Equifax security breach (called CVE-2017-5638). Version 2.5.10 is one of those versions.

So now our participants were configuring their web-applications to be built using that same security vulnerability. Cool stuff.

Create Your Pipeline

Once Jenkins was configured and the pom.xml updated we moved on to creating an automated release pipeline.

First we modeled the application in ElectricFlow and associated it with the application’s WAR file stored in a Nexus repository (hosted on AWS). From there each participant built a pipeline from a predefined “pipeline-as-code” template, associated it with the app they just modeled, and pointed the Build pipeline stage to their Jenkins instance (also running in AWS) using the ElectricFlow Jenkins plug-in.

With this setup done, the Build stage of the pipeline would trigger a build in Jenkins (which would push the artifact to Nexus), and each following stage in the pipeline would provision an environment (also in AWS), pull the application artifact from Nexus, and deploy the app onto the target environment. At this point participants had fully working pipelines with automated build, gated stages, and automated deployments.

Secure Your Pipeline

Next participants used the Electric Cloud Sonatype plug-in to point their pipelines to a Sonatype security scanning server hosted in AWS so that each artifact would be scanned for vulnerabilities before being deployed. The most important aspect of security is early detection and getting feedback to the right people, which is why detecting security vulnerabilities in the release pipeline is extremely powerful. With Sonatype plugged in, participants now saw that when they ran their pipelines, their application failed to deploy into production because Sonatype detected critical vulnerabilities in the Struts2 WAR file, and based on this response the ElectricFlow pipeline blocked promotion to the production deploy stage.

Do Some Hacking

Now that our participants were securing the world, they wanted to play the bad guy. Since deploying a web application with a known security vulnerability to an AWS machine with a public facing IP is not what you’d call “security best practices”, we moved to the next portion of the workshop: local machines running Docker containers.

Here we had the participants pull down the WAR file they built (struts2-rest-showcase.war) to a local directory, along with the Dockerfile from the sample app in their GitHub repo, as well as a small hacker kit called exploit.py that targets the Struts2 vulnerability (a huge thanks to @Ilkka for coding this fun tool!). The Dockerfile is pretty straightforward; it just uses the application WAR file and Tomcat 7 to run a web server exposed on port 8080. We then had participants build the Docker container and run it.

If performing this exercise at home, turn off your Wi-Fi, because you’re now running a web application with a known security vulnerability! Here’s how it looks:

Not too exciting. To give participants a visceral feel for the threat that these kinds of vulnerabilities pose, we let them do some hacking of their own. The supplied ‘exploit.py’ is based on the Metasploit toolkit, and allows participants to exploit the Struts2 vulnerability. The Struts2 vulnerability we’re targeting is CVE-2017-5638, which allows injecting operating system commands into a web application via an HTTP request. With this tool, participants were able to run remote commands on their web server running in a local container, thus simulating a real attack. Here’s an example of running ‘whoami’ to see that we’re running as ‘root’, as well as viewing all the passwords used on the target web server.

Secure Your App

After having fun playing unethical hacker, we used the Sonatype report to get a detailed look at the vulnerabilities present in the various versions of the Struts2 library (struts2-core) and found that version 2.5.13 was the first version released without any security vulnerabilities.

The final step in the workshop was to have participants update their app’s pom.xml to reference Struts2 version 2.5.13, and re-run their pipeline. Doing so yielded clean scans at all stages of the pipeline, and a successful deploy to production.
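As an added example (not the workshop's own code, and not Sonatype's or ElectricFlow's tooling), the following Python script plays the role of the pipeline gate described above: it parses a Maven pom.xml, resolves the struts2-core version, and refuses promotion when it is older than 2.5.13, the first release the workshop's scan reported clean. It goes slightly beyond the text by also resolving `${property}` version references, which real POMs commonly use. The policy table, the POM fragments and all function names are constructed for this example; in the workshop the check was performed by IQ Server through the ElectricFlow Sonatype plug-in.

```python
"""Release-pipeline gate for a Maven project (added example, not the workshop's code).

Reads a pom.xml, resolves each dependency's version (including ${property}
references to <properties>) and blocks promotion when a dependency is below
the minimum version set by policy. Policy and POM fragments are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed policy table: (groupId, artifactId) -> minimum acceptable version.
# The workshop's scan report showed 2.5.13 as the first struts2-core release
# without known vulnerabilities, so anything older fails the gate.
POLICY: Dict[Tuple[str, str], str] = {
    ("org.apache.struts", "struts2-core"): "2.5.13",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10' into (2, 5, 10) so versions compare numerically, not as strings
    (a string compare would wrongly rank '2.5.9' above '2.5.13')."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _ns(root: ET.Element) -> str:
    """Return the '{uri}' prefix ElementTree attaches to tags of this POM, or '' if none."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _resolve(root: ET.Element, ns: str, value: str) -> str:
    """Resolve a ${name} reference against <properties>; plain values pass through."""
    if value.startswith("${") and value.endswith("}"):
        key = value[2:-1]
        props = root.find(f"{ns}properties")
        if props is not None:
            for prop in props:
                if prop.tag == f"{ns}{key}" and prop.text:
                    return prop.text.strip()
    return value


def dependencies(pom_xml: str) -> List[Tuple[str, str, str]]:
    """List (groupId, artifactId, version) for every <dependency> that states a version."""
    root = ET.fromstring(pom_xml)
    ns = _ns(root)
    found = []
    for dep in root.iter(f"{ns}dependency"):
        group = dep.findtext(f"{ns}groupId")
        artifact = dep.findtext(f"{ns}artifactId")
        version = dep.findtext(f"{ns}version")
        if group and artifact and version:
            found.append((group.strip(), artifact.strip(), _resolve(root, ns, version.strip())))
    return found


def evaluate_gate(pom_xml: str, policy: Dict[Tuple[str, str], str] = POLICY) -> List[str]:
    """Return one violation per dependency below its policy minimum; an empty list means promote."""
    violations = []
    for group, artifact, version in dependencies(pom_xml):
        minimum = policy.get((group, artifact))
        if minimum is not None and parse_version(version) < parse_version(minimum):
            violations.append(f"{group}:{artifact}:{version} is below policy minimum {minimum}")
    return violations


def _pom(struts_version: str) -> str:
    """Constructed POM fragment shaped like the pom.xml edit made in the workshop."""
    return f"""<project xmlns="{MAVEN_NS}">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>struts2-rest-showcase</artifactId><version>1.0</version>
  <properties><struts.version>{struts_version}</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${{struts.version}}</version>
    </dependency>
  </dependencies>
</project>"""


POM_VULNERABLE = _pom("2.5.10")  # the version the workshop deliberately built with
POM_FIXED = _pom("2.5.13")       # the version that yielded clean scans

if __name__ == "__main__":
    for label, pom in (("2.5.10", POM_VULNERABLE), ("2.5.13", POM_FIXED)):
        problems = evaluate_gate(pom)
        verdict = "BLOCKED: " + problems[0] if problems else "promote to production"
        print(f"struts2-core {label}: {verdict}")
```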

This workshop was a great opportunity for DevOps practitioners to get hands-on experience with a real-world security vulnerability. They saw first-hand how critical it is for the technologies that businesses use to design, build, and release software to effectively detect, notify, and prevent vulnerabilities. The good news is, with the proper security tools and a robust continuous delivery process in place, we can look forward to a world with fewer Equifaxes.

The Importance of Having An Open Source Policy

Expert commentary on the 2018 DevSecOps Community Survey

Helen Beal, DevOpsologist | Ranger4

In 2017, 57% of all participants in the DevSecOps Community survey confirmed that, yes, they did have an open source policy. In 2018 this has risen to 64% – but 35% say they ignore it.

Breaking that down further: in 2018, 58% of those with no DevOps practices and 77% of those with mature DevOps practices reported having an open source policy. 46% of the former and 24% of the latter reported ignoring it. Effectively, that’s then just 12% of organisations with no DevOps practices actually using an open source policy, while 53% with mature practices are following internal regulations. Having, and using, an open source policy is then an indicator of mature DevOps practices.

The above begs the question: why are people ignoring the open source policies they have? It’s worth noting here that nearly half of survey respondents reported being in development or DevOps roles and less than 3% reported having AppSec or security specific roles. That number shouldn’t be a surprise alongside the discovery that developers typically outnumber security 100:1 (and, according to the survey, operations 10:1). But, perhaps what we can conclude is that it’s the developers who are ignoring the open source policies that are set by the security professionals in an organisation.

A principle of DevSecOps is that security is everyone’s job, not just one person’s job. Organisations reporting higher levels of maturity also report higher levels of this principle of thinking, phrased in the survey as: “Security is part of everyone’s role” – 91% versus 78%. Note though, that both these levels of acceptance can be considered high.

Is it concerning then, that there are low levels of acceptance of an open source policy? Is an open source policy a critical part of security policy and procedures?

First, let’s reflect on what constitutes an open source policy. There are several examples available on GitHub from Google, Linux Foundation, Rackspace and Zalando. A key focus of these examples is how these organisations create open source software themselves, rather than how they consume it, although Rackspace’s says:

“An open source policy exists to maximize the impact and benefit of using open source, and to ensure that any technical, legal or business risks resulting from that usage are properly mitigated.”

The benefits of using open source are obvious: why reinvent the wheel? The ability to scale development by consuming pre-built artifacts is clear. The appeal of using a free technology rather than buying licensed, chargeable software is also apparent. But so are the risks, so it is concerning that some developers are simply ignoring the policies crafted and communicated for their organisations, most likely for the sake of speed and cost.

IDG’s ‘Best Practices for Creating an Open Source Policy’ provides practical advice and names developers first in the list of stakeholders to include:

• “Developers – the people who will have to follow the policy

• IT staff, as they probably download and use open source software

• Managers of teams that use open source software

• Attorneys

• CIO and staff

• Technical architects; many companies have architectural committees, and they should be involved”

And they include the qualifier “the people who will have to follow the policy”. But it is eight years since that article was written, and this survey tells us that many developers are not following the policy. “Ignoring” is a strong word; it suggests wilful obstruction. We know, though, that the vast majority of developers we work with take enormous pride in their work: they do not want to create licensing and security issues for the rest of their organisation through the components they choose for the software supply chain. But it is simply too hard for them to find out what level of risk comes with the component they are about to download and incorporate into their application.

And they are not alone. The IDG article goes on to explain why you might need a background statement for your Open Source Policy, for example, when:

• “Management doesn’t know how much open source software the company uses or depends on

• There are widely varying opinions on how much open source software is used

• There’s an open source software rule or policy that conflicts with reality (e.g., “No open source allowed,” but your IT infrastructure is built upon open source software)

• There are big disagreements on how the company should use open source software”

The 2018 DevSecOps survey data also tells us that 38% of organisations have a complete bill of materials for each software application while 62% of organisations report that they do not have meaningful controls over what components are in their software applications.

This doesn’t have to be the case. We can automate all of this with tools like Sonatype’s Nexus Lifecycle. We can automate the bill of materials, make visible to everyone where open source components sit in a software supply chain, highlight the risks of particular components and offer alternatives, and we can do this in the IDE, taking the burden off developers so they never have to sacrifice product quality for speed of delivery. You can automate your open source policy and work around the 100:10:1 (developer:operations:security) staffing constraint.

NEXUS CONFERENCE, JUNE 6th – 7th, free, live and online

NEXUS USER CONFERENCE

Who Should Attend?

Developers
Learn from other Nexus developers how to speed time to innovation and reduce MTTR.

DevOps Practitioners
Hear from other organizations how to integrate Nexus within a DevOps pipeline.

Security
Learn how to shift security practices left and automate DevSecOps.

OSS Governance
Learn how to automate open source governance policies and scale DevSecOps.


Sonatype Nexus Named Best Open Source DevOps Tool


Fulton, MD – March 22, 2018 –  Sonatype, the leader in open source governance and DevSecOps automation is proud to announce that Nexus Repository has been named Best Open Source DevOps Tool by Computing at the DevOps Excellence Awards 2018.

The distinction was announced on March 21 in London at the DevOps Excellence Awards gala where Computing recognized outstanding achievements from organizations, personalities and solutions operating within the DevOps space.

“Nexus Repository has become a defacto standard within DevOps toolchains worldwide and is simply the best way to continuously control binaries and build artifacts as they flow through the modern SDLC.” said Wayne Jackson, CEO of Sonatype. “We’re honored that Computing and the DevOps Excellence Award judges saw the value, and importance, in what we’ve built with Nexus Repository. This award further validates the choice that 10 million developers have made to use Nexus as their system of record for open source components, build artifacts, and release candidates.”

Supporting information:

Nexus Repository helps organizations build better, safer software – even faster – for free. It’s the only repository manager with free support for all popular formats, including Java, Docker, JavaScript, Ruby, Python, .NET, GitLFS and more.

Nexus Repository is characterized by a growing user base, powerful features and community support:

  • 10 million active users across 150,000 software development organizations
  • 115,000 repositories scanned daily for open source security vulnerabilities
  • Out-of-the-box integrations with leading DevOps tools including Jenkins, Eclipse, IntelliJ, Docker, Puppet, Chef, OpenShift, Mesosphere, JIRA, Bamboo, SonarQube and more
  • 44 free community-built integrations
  • 100+ free online videos providing user training and guidance
  • 50 DevOps reference architectures including Nexus

Financial cyberthreats in 2017

In 2017 we saw a number of changes in the world of financial threats, including the emergence of new actors. As we have noted before, fraud attacks on financial services increasingly target user accounts. User data is a key tool for carrying out large-scale fraud. Frequent data breaches, among other kinds of cyberattacks, have given criminals valuable sources of personal information that they can use to take over other people’s accounts or impersonate their victims. Attacks that focus on user accounts can cause further losses, of both data and money, so mitigating these threats matters greatly to financial services companies and to their customers alike.

Attacks on ATMs continued to grow in 2017 and to attract cybercriminals’ attention: they attacked banking infrastructure and payment systems with sophisticated fileless malware, while still using cruder methods such as covering CCTV cameras and drilling into the machines. Among other things, in 2017 Kaspersky Lab researchers discovered attacks on ATM systems carried out with new malware and remote operations, and a special program called Cutlet Maker that was sold on DarkNet markets for a few thousand dollars together with a step-by-step guide explaining how to use it to attack ATMs. Kaspersky Lab has published a report describing the attacks that ATM authentication systems could face in the future.

It should also be noted that major cyber incidents continue. In September 2017, Kaspersky Lab researchers identified a new series of targeted attacks against at least 10 financial organisations in different parts of the world, including Russia, Armenia and Malaysia. The attacks were the work of a new cybercriminal group called Silence. The methods Silence used to rob its victims were similar to those of the infamous Carbanak malware.

Silence thus joins the list of the most devastating and complex cyber-robbery operations, alongside Metel, GCMAN and Carbanak/Cobalt, which have stolen millions of dollars from financial organisations. What is interesting about this threat is that the criminals exploit the infrastructure of financial institutions they have already infected to draw them into new attacks: they send fraudulent emails from the real mailboxes of those institutions’ employees, together with a request to open an account. In this way the criminals make sure the recipient does not suspect the source of the infection.

Small and medium-sized businesses were not spared from financial threats either. Last year Kaspersky Lab researchers discovered a new botnet used to flood victims’ computers with advertising, mainly in Germany and the United States. The criminals infect victims’ computers with the Magala clicker Trojan, which generates fake ad views, earning the criminals up to US$350 from each infected machine. Small businesses lose the most, because they end up doing business with unscrupulous advertisers without knowing it.

Moving from group threats to individual ones, 2017 gave individual users little respite from financial threats. Kaspersky Lab researchers detected NukeBot, a new piece of malware designed to steal online banking customers’ credentials. The security industry knew of earlier versions of the Trojan, such as TinyNuke, but those lacked the features needed to launch attacks. The latest versions, however, are fully functional and contain code targeting the customers of specific banks.

Below is a summary of a series of Kaspersky Lab reports giving an overview of how the financial threat landscape has evolved over the years. It covers the online scams users encounter most often, as well as information on financial malware for Windows and Android.

The main findings detailed in the report are:

Phishing:

  • In 2017, financial phishing rose from 47.5% to almost 54% of all phishing detections. This is an all-time high according to Kaspersky Lab’s financial phishing statistics.
  • More than one in four phishing pages blocked by Kaspersky Lab products is linked to banking phishing.
  • In 2017, 16% of phishing attacks related to payment systems and 11% to online shops. These percentages are only slightly higher than in 2016.
  • Mac users faced almost twice as much financial phishing, with the share of these attacks rising to almost 56%.

Banking malware:

  • In 2017, 767,072 users were attacked by banking Trojans, 30% fewer than in 2016 (1,088,900).
  • 19% of users attacked by banking malware were corporate users.
  • Users in Germany, Russia, China, India, Vietnam, Brazil and the US were attacked most often.
  • Zbot remains the most widespread banking malware family (almost 33% of attacked users), but the Gozi family (27.8%) follows closely behind.

Android banking malware:

  • In 2017, the number of users who encountered Android banking malware fell by almost 15% worldwide, to 259,828.
  • Just three malware families accounted for the vast majority of attacks on users (over 70%).
  • Russia, Australia and Turkmenistan had the highest share of users attacked by Android banking malware.

Data Protection By Design: GDPR Compliance Starts With Software

Feb 23, 2018 @ 07:15 AM

Post written by Brian Fox, Forbes Councils
Software developer, innovator and entrepreneur who is most prominently known for his role as the CTO and co-founder of Sonatype, Inc.

Software is no longer written from scratch — it’s assembled.

In fact, 80-90% of a modern application is built using open source software components. These free, packaged bits of reusable code are downloaded each year by the hundreds of billions. Every development team uses them to accelerate production and deliver new innovations. Every software application you use, at work or at home, is made up of them.

In today’s application economy, innovation is king, speed is critical and open source is center stage. While organizations are delivering software innovations at a quicker pace, one aspect of delivery is being gravely overlooked: security. Our research estimates that 1 in 18 open source components downloaded last year had a known security vulnerability. The security defects in these components are being assembled into finished goods in medical, defense, entertainment, financial services and every other industry, which leaves applications and their data, our privacy — and potentially our health — at risk.

When the innovation race is being run without proper oversight, getting to the finish line safely will require greater (and faster) care. That’s set to be a major challenge for organizations developing software under the forthcoming EU General Data Protection Regulation (GDPR).

Article 32 of the GDPR states that organizations must “implement appropriate technical and organizational measures” to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” When combined with Article 25, which mandates that data protection measures be implemented “by design and by default”, it’s clear that privacy and security must become ingrained in every element of IT infrastructure.

If you fail to follow these rules and known software vulnerabilities end up inadvertently helping hackers steal sensitive consumer data, you could be on the hook for seriously big fines: up to €20 million, or 4% of global annual turnover — the greater of the two.

Equifax As A Cautionary Tale

In today’s economy, data is the new oil. It’s no wonder that applications are the top attack vector for hackers: data lives within applications. With attacks on the rise, businesses can no longer afford to ignore their poor software hygiene practices.

In 2017, it took attackers just three days to find their way into Equifax, in what would become the most notorious heist of the year. Data on over 145 million American and British customers was stolen after hackers exploited a known security vulnerability in the Apache Struts 2 open source web framework. The breach proved catastrophic for the company, resulting in multiple C-level departures. Had GDPR been in place, the company’s predicament would have been even worse. Under GDPR rules, companies must notify the supervisory authority within 72 hours of becoming aware of a breach (and affected individuals without undue delay) or face penalties of up to €10M ($12 million) or 2% of prior-year revenue, whichever is higher. Equifax’s decision to wait 40 days before notifying the public would have led to a fine of around $60 million on top of the reputational damage it incurred.

Hardwiring Security From The Beginning

To avoid an Equifax-like fate and ensure GDPR compliance, appropriate safeguards must be put in place across the entire software lifecycle. Just as development practices have accelerated, so have the safeguards. Where tollgate types of compliance were once the norm, automation is now being used to apply high-speed guardrails within software development practices to keep innovation moving at the right pace.

The Value Of Embedded Intelligence

How can developers stay GDPR compliant and continue to deliver competitive innovations in a secure manner? In short, by embracing DevSecOps principles aimed at building in quality. In DevSecOps practices, governance and compliance guardrails are embedded early and throughout the software development lifecycle. Once manual reviews of component governance have been automated, developers will have transparent access to digital guardrails integrated with their own native tools — an approach that ensures security is being built in without slowing developers down.

The digital guardrails exposed to developers surface component intelligence instantly, telling them which components are good and which have security defects. When defects are flagged, developers are guided through remediation with automated intelligence that identifies safer component alternatives. These instant feedback loops on good and bad components have been shown to increase developer productivity by as much as 48%.

Today’s DevSecOps solutions deliver embedded analysis and intelligence across the entire software supply chain. Over time, this approach ensures developers procure the best open source components from the best suppliers, while continuously tracking components across the entire lifecycle.
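The automated policy check described in the preceding paragraphs, and in the earlier discussion of automating the bill of materials and the open source policy, as an added example rather than code from Sonatype or Nexus Lifecycle: it parses a Maven pom.xml into a bill of materials (resolving ${property} versions), then evaluates each component against an advisory feed with affected version ranges and a licence allow-list, suggesting the first fixed version as the alternative. The pom, the com.example coordinates, the ADV-EX advisory IDs and the licence data are constructed for this example and correspond to no real project or vulnerability; a real implementation would take the advisory and licence data from a repository manager or vulnerability database.

```python
# Added example: build a BOM from a Maven pom.xml and check it against an open
# source policy (known-vulnerable version ranges, licence allow-list). The pom,
# advisories and licence data are constructed; the advisory IDs are fictional.
import re
import xml.etree.ElementTree as ET
from collections import namedtuple
from dataclasses import dataclass

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <web.version>2.3.30</web.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.example.web</groupId>
      <artifactId>web-core</artifactId>
      <version>${web.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example.util</groupId>
      <artifactId>text-tools</artifactId>
      <version>1.4.2</version>
    </dependency>
    <dependency>
      <groupId>com.example.crypto</groupId>
      <artifactId>pqc-lib</artifactId>
      <version>0.9.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Component-intelligence feed stand-in: (groupId, artifactId) -> advisories as
# (id, first_affected, fixed_in). A repository manager's data would replace it.
ADVISORIES = {
    ("com.example.web", "web-core"): [("ADV-EX-001", "2.3.5", "2.3.32")],
    ("com.example.util", "text-tools"): [("ADV-EX-002", "1.0.0", "1.4.0")],
}
LICENSES = {  # text-tools is deliberately missing: an unknown licence is a finding
    ("com.example.web", "web-core"): "Apache-2.0",
    ("com.example.crypto", "pqc-lib"): "AGPL-3.0",
}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
SHIPPED_SCOPES = {"compile", "runtime"}  # licence policy applies to what ships

@dataclass
class Component:
    group: str
    artifact: str
    version: str
    scope: str = "compile"

    def purl(self):
        return f"pkg:maven/{self.group}/{self.artifact}@{self.version}"

Finding = namedtuple("Finding", "purl kind detail suggested_fix")  # kind: vulnerability|license

def version_key(v):
    # Numeric per-segment comparison ("2.3.30" > "2.3.5"); non-numeric qualifiers
    # sort below numbers. Full Maven version ordering is not modelled here.
    return [(1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", v)]

def in_range(v, first_affected, fixed_in):
    return version_key(first_affected) <= version_key(v) < version_key(fixed_in)

def parse_pom(xml_text):
    """Declared dependencies, with ${property} references resolved."""
    root = ET.fromstring(xml_text)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    resolve = lambda s: re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), s)
    bom = []
    for dep in root.findall(f"{POM_NS}dependencies/{POM_NS}dependency"):
        text = lambda tag, default="": (dep.findtext(POM_NS + tag) or default).strip()
        bom.append(Component(text("groupId"), text("artifactId"),
                             resolve(text("version")), text("scope", "compile")))
    return bom

def evaluate(bom):
    """Policy findings: vulnerable versions (with the fixed version as the suggested
    alternative) and shipped components whose licence is not allow-listed."""
    findings = []
    for c in bom:
        key = (c.group, c.artifact)
        for adv_id, first_affected, fixed_in in ADVISORIES.get(key, []):
            if in_range(c.version, first_affected, fixed_in):
                findings.append(Finding(c.purl(), "vulnerability",
                                        f"{adv_id} affects [{first_affected}, {fixed_in})",
                                        f"upgrade to {fixed_in}"))
        licence = LICENSES.get(key, "UNKNOWN")
        if c.scope in SHIPPED_SCOPES and licence not in ALLOWED_LICENSES:
            findings.append(Finding(c.purl(), "license", f"licence {licence} not allow-listed", ""))
    return findings

if __name__ == "__main__":
    for f in evaluate(parse_pom(SAMPLE_POM)):
        print(f"{f.kind:13} {f.purl}: {f.detail} {f.suggested_fix}".rstrip())
```

Run against the constructed pom this reports web-core 2.3.30 as vulnerable with "upgrade to 2.3.32" as the alternative and text-tools as having an unknown licence, while pqc-lib's AGPL licence produces no finding because it is test-scoped and never ships. Wiring the same evaluation into a build step or IDE plugin is what turns the policy from a document into a guardrail.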

The application economy can grow and prosper in regulated environments if it’s managed properly. Organizations that embrace DevSecOps practices across their software supply chains will not only accelerate innovations but will also stay secure, compliant and competitive.

Sonatype Reports Record Growth in 2017

Increased application hacks motivate companies to seek new ways to automate secure software development

Fulton, MD – January 16, 2018 – Sonatype, the leader in open source governance and DevSecOps automation, today announced a record 2017, including:

  • 75% increase in new sales
  • 125% net renewal rate
  • 72% increase in developers using Nexus, now 2.2 million
  • 150 new enterprise clients

Sonatype enterprise customers now include:

  • 8 out of 10 top banks in Europe and North America.
  • 8 of the top 10 US credit card companies
  • 6 of the top 10 US tech companies
  • 4 out of 5 US Armed Forces

To keep pace with demand, Sonatype increased headcount by 40% over the past 12 months, fueled by significant additions to its engineering and sales organizations.

Vulnerable applications are the number one attack vector leading to breaches. Traditional application security tools that function as ‘toll gates’ and impede progress aren’t working. As companies understand the need for ‘guardrails’ not gates, they’re turning to Sonatype to continuously automate security early and often throughout the development lifecycle.

“Sonatype invented automated OSS governance in 2012.  Since then, our Nexus platform has been helping software development teams govern their use of open source and third-party components so they can build higher quality and more secure applications,” said Wayne Jackson, CEO of Sonatype. “2017, however, was a special year; companies began to recognize the changing role of security in a DevOps world and a strong market for OSS governance emerged. The stage has been set for 2018 to be the year of DevSecOps.”

“By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017,” wrote Gartner analysts Neil MacDonald and Ian Head in their 3 October 2017 report, 10 Things to Get Right for Successful DevSecOps.  “In the past 12 months at Gartner, how to securely integrate security into DevOps — delivering DevSecOps — has been one of the fastest-growing areas of interest of clients, with more than 600 inquiries across multiple Gartner analysts in that time frame.”

 

Media Contact
Elissa Walters
ewalters@sonatype.com


IT Security and Counter-surveillance